a little of everything

Phil Gengler
2003-04-29 12:59:27

A lot's happened since my last update. Linus Torvalds shocked a lot of people by saying that he's not opposed to DRM on Linux, Larry Lessig and Rep. Zoe Logren are backing the REDUCE Spam bill (yes, that is it's name, and yes, the REDUCE does stand for something), Verizon lost it's bid to avoid having to release the name of an accused file-sharing subscriber to the RIAA, Streamcast won in court against the RIAA, Volvo filed a trademark infringement lawsuit against a small-town car museum and the MPAA vs. 321 Studios case was postponed, among other things. Some wins and some losses, which is unusual since mostly when a lot of stuff happens, it's all losses.

On Wednesday, Linus Torvalds, the man behind the Linux kernel for those who don't know, posted this thread to the Linux Kernel Mailing List, titled 'Flame Linus to a Crisp'. The gist of the email was his explanation of this quote: "I want to make it clear that DRM is perfectly ok with Linux!" Linus says that he's not playing politics with the kernel, and that he wants people to be able to do whatever they want with it, even if it's something he doesn't personally like, though he does explain why he feels that DRM (in the context of signing binaries and refusing to load unsigned ones) is a good thing. One of the biggest problems I see with DRM in this sense is that there's the potential for the operating system to totally prevent access to data or applications if the app is untrusted. I wouldn't have as much of a problem with this if it was ensured from day one that there would always be a way to get raw access to data, or to be able to run untrusted apps. And this doesn't even get into the issue of DRM in other context, like restricted data, that has limitations for accessing it.

For signing apps and such, I don't think that DRM is required, and I get the idea that Linus missed the point of just what DRM is. DRM is, to it's fullest extent, a way of managing access to protected works so that the copyright holder's rights aren't infringed by an unauthorized use of the device. There are a number of smaller parts to that, and one of the key ones is signing apps, and trusted apps, so that access to that data can be restricted to a whitelist of applications that can access that data (presumably since they would honor any and all of the usage restrictions on it). Simply signing apps, so that a person can verify that an application is really exactly what it should be, is perfectly acceptable, and strongly encouraged, in the wake of compromises of servers in which legitimate applications were replaced by trojaned versions. But this can be accomplished much more effectively, and without nearly as much controversy, by simply automating an MD5 or PGP/GPG key check before installing an application, and letting the user know if an app deviates from what it should be.

I agree with at least part of Linus' point, that signing apps is definitely a good idea, but I wouldn't go as far as to say it's almost required, especially with proposed ideas like Palladium, in which an application has to be trusted and allowed to get access to data. There is no reason to completely inhibit a person from accessing their own data or data which they have a right to access. That's why I feel there definitely needs to be a way to get around the restrictions, so that there is always a way to access the data, even if something goes wrong with the 'registry' of trusted apps and access controls (think Wndows registry corruption, but without a way to restore, and you have an idea of just how easily it could happen).

In a move towards satifying part A of Larry Lessig's spam-fighting wager (if a federal anti-spam law passes, and doesn't work, he would resign from his job), California Rep. Zoe Lofgren plans to introduce the "Restrict and Eliminate Delivery of Unsolicited Commercial E-mail Spam" (REDUCE Spam) bill into the House of Representatives. The bill would require the subject lines of e-mail advertisements to be prefixed with [ADV;], and also provides a 'bounty' system for reporting violators. The way the bounty works is, if an email is received that's an advertisement without the required prefix, then the first person to track down and report the sender would receive a percentage of the fine levied against the offender. The bill would also require valid return addresses, obeying and respecting choices to opt-out, and give the FTC power to collect fines against violators.

Personally, I don't think legislation is going to be able to do a whole lot against spam, most of which is sent by exploiting incompetent admins (usually in other countries) and trying to prevent it from being traced back in the first place. The use of open relays, frequently in Pacific countries like China and Taiwan, means that spammers will still have the means from which to send, and the SMTP protocol allows them to provide very little real information about the origin of the message. The bounty part will certainly compel technologically talented people to seek out the identities of spammers, but I'm curious about just how much claims are investigated. It's unlikely that the people who levy the fines are going to do the full research into it (it's almost a fact of government that the people who can do a job never get to do it), and so a clever person could simply provide fabricated evidence against an innocent party in order to claim the monetary reward. And even if the people investigating are talented enough to do it well, the sheer volume of complaints they would likely receive (some real, some not) would almost certainly keep them too busy to do the best job on any of the claims. While I don't like spam, and I have no respect for those who send it anonymously and without a way to opt-out, the potential abuses of a law like this against innocent people are too great, in my opinion. It seems likely that someone accused here would be labeled 'guilty until proven innocent', which is no way for a government to treat its citizens.

The RIAA won against Verizon in a case of copyright vs. privacy. The RIAA subpoenaed Verizon to reveal the name of one of its subscribers who they believed to be sharing files, as provided for in the DMCA. Verizon sought an injunction to prevent having to release the name, saying that the RIAA should have filed suit against John Doe, and then Verizon would have revealed the name as required under such a suit.

To me, cases like this really provide a look at why the DMCA is both redundant and bad. The RIAA, without the DMCA, has a perfectly accepted way to get the name of this person, subject to a judge allowing them, but they chose to take the route which obtained the same result, without the judicial review. I don't think it's all right to put the copyright holders in charge of enforcing copyright, especially in the case of large organizations against smaller ones or individuals who don't have the power to fight it. When that's the case, it doesn't really matter whether the copyright holder was right or wrong, because they just use their financial muscle to ensure compliance with whatever they want, with no regard to whether or not they actually have that right. When the RIAA decided they wanted the name of this person, they should have done exactly what Verizon says they should have done, filed suit against John Doe and then sought a judge's approval to compel Verizon to reveal the name. That way, they would have to present evidence of why they need to get the name, and if their case was without merit, or a blatant false accusation, it would have stopped there, without reaching the person at the end. And if they had a case, they would have gotten the name and then would have proceeded as normal. Giving the RIAA (or any private entity, for that matter) the power to do what would otherwise have required a judge, amounts to nothing more than allowing that entity to be vigilante, since they can accuse anyone of near anything, and not be subject to judicial review or any sort of reprimand for abuse of the power.

Though to put at least a dent in the RIAA's quest to eradicate any sort of file-sharing (beit legal or not), their case against Streamcast (makers of Grokster & Morpheus) was decided on Friday, with the victory going to Streamcast. The judge's decision likened the networks to VCRs or copy machines, which can infringe copyright but also have substantial noninfringing uses. The decision seems to be completely contrary to the Universal v. Reimardes case (Universal v. 2600), which said that 2600 Magazine couldn't link to the DVD decryption library DeCSS (though the cases were decided in different courts). It's a definite victory, and hopefully will go a long way toward reversing the modern trend toward assuming anything that can infringe copyright is only used for that role.

This seems like a good opportunity for me to explain exactly what my position is on file-sharing and copyright. A lot of people are under the impression that since I'm opposed to the DMCA and support rulings like this, that I support people downloading copyrighted material or blatantly infringing on copyrights. I think that copyright protection, and intellectual property law in general, is a very important part of new things being created. I believe that the creators of a work are entitled to their limited period of protection, and that this protection is critical to lots of areas of society. I think that if someone is downloading copies of copyrighted works that they would have no legitimate claim to (like downloading an MP3 of a song you own the CD of), then that's illegal and should be prosecuted. I don't think that people sharing files (so long as they have some legitimate claim to possessing them in the first place, like I just mentioned) are doing anything inherently illegal for the most part. If they're making an effort to encourage people to copy things (with a legit claim, blah blah blah) then they are most definitely facilitating copyright infringement, but I don't see a problem with someone ripping a CD and then sharing the digital copies for other people who own the album to download. The same goes for DVDs, and all sorts of other things.

I'm also opposed to the current length of a copyright term. The Constitution says that creators should be given a period of limited protection, because such protection is needed for progress in science and the arts. In other words, a creator's works are given protections so that the author can reap rewards from them, to create more works. And since I think it's designed to benefit the creator of a work, I don't see any reason why a copyright term should be any longer than the life of the author/creator. Once a person is dead, they can no longer benefit from sales or licensing of the work. The Constitution doesn't say that the son of a deceased creator should be able to make money off a work, it says that the creator is entitled to the protection so that they have incentive to create more. With current copyright terms, it's very possible for a third generation descendant to be in possession of the copyright of a years old work, and not do anything more than seek to make money from the work of someone they never knew. This isn't promoting science or the arts, it's promoting greed, at the expense of the public domain, the resources of which are often the basis for new scientific and artistic works.

Now that that's been said (and I will be more than happy to clarify any part of that), we have another example of IP abuse, in Volvo's filing of a WIPO complaint against the Volo Auto Museum alleging trademark infringement. The Volo Auto Museum is an antique and classic car museum in a town of around 200 residents, and Volvo is a worldwide auto manufacturer. Part of trademark infringement is that the accuser should have to show why they feel the other party is causing/cause harm to the finances or reputation of the accusing party. This should mean more than just being in a very general area (cars in this case) and having a similar name (Volvo/Volo); there should be (needs to be?) a very clear potential for confusing the two, and I highly doubt that a small town classic car museum is going to be mistaken for Volvo, or that any harm to Volvo's finances or reputation would result. And, since Volo is such a small group, they don't have the same means to be able to fight Volvo on this. I have a serious problem with companies who try and go after virtually defenseless groups or people, when groups or people more capable of fighting are guilty of the same behavior which is getting the small group in trouble (this is without regard to whether or not something is actually being done wrong).

And with this is more waiting for a case I've been watching with significant interest, the MPAA's suit against 321 Studios over their DVD-Copy product. The MPAA alleges that since the program allows a person to copy a DVD, it facilitates piracy and that 321 should be punished for selling it. 321 says the product is in no way designed for piracy or copyright infringement, and that it was designed for a DVD owner to be able to make a backup copy. The case was originally scheduled to be heard last Friday, but it was postponed.

This case seems like the embodiment of a point I made earlier, that groups like the MPAA feel that just because something can be used for piracy or copyright infringement, that it is only used for that, despite legitimate uses for the technology, like making a backup copy in case something should happen to the original (lost, scratched, etc.). It's ridiculous to think that a DVD or CD would last forever (though Jack Valenti has said that since a DVD is digital it should never need to be replaced), and equally ridiculous to require that if anything happens to the original, the only way to be able to listen to/watch it is to buy it again. From a profit standpoint, it's better for the RIAA/MPAA to make you buy everything multiple times, but very few people I know (and I assume in general, but I could be wrong) are not willing to buy the same thing several times. Especially following the actions and words of the RIAA/MPAA where their general idea is that you don't own the DVD or CD, but are instead buying a license to listen to the music or watch the movie that's on the physical media. Though if that were the case, they should have no problem replacing lost, stolen, or damaged media for not more than the cost of media, since we would already have purchased a license for the content, right?

And to finish things off, the final schedule for the remaining DMCA hearings is available. I will be at the 9:30 hearing on May 2, as I've said, and if anyone is interested in turning out in support or just to observe, there may be room for you to come along, if you let me know enough in advance.